Hello - We are experiencing high CPU usage from the winlogbeat agent on a single system that is generating an extremely high volume of PowerShell Operational logs. Once we remove PowerShell logging entirely, the CPU usage drops considerably. My questions are:
Where is log processing the most intensive in the entire shipping process? I.e., is it most intensive when the logs are getting shipped, or is it when the logs are being searched for specific events, fields, etc.?
Would specifying certain conditions that would drastically lower the amount of logs being shipped likely lower the CPU usage or would it likely still be very high because it has to search for those conditions in all of the PowerShell logs?
We are also applying processors to the PowerShell events so that some of the event normalization is occurring on the host prior to shipping to us (see below).
processors:
  # script processor from the default winlogbeat.yml: runs the PowerShell module's
  # normalization script on every event from the PowerShell/Operational channel
  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
      lang: javascript
      id: powershell-operational
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
Our hope is to tune the config so that it cuts down the shipped logs by 90%, but if searching those events for specific conditions requires a lot of CPU then it may not be a solution to our problem.
Thanks in advance.
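The two filtering points the question asks about behave differently in winlogbeat, and a config fragment makes the difference concrete. This is an added example, not configuration from the original post: the `event_id` and `level` options under `winlogbeat.event_logs` are compiled into the XPath query that winlogbeat hands to the Windows Event Log API, so events outside those filters are discarded by the OS before winlogbeat ever reads or renders them, whereas a `drop_event` processor runs per event after the event has been read and decoded, so it saves shipping volume but not the read-and-decode CPU. The event IDs shown (4103 module logging, 4104 script block logging) are the standard PowerShell Operational IDs; the `drop_event` condition and its field value are constructed for illustration.

```yaml
# Added example (not from the original post): trimming PowerShell Operational
# volume at the event-log subscription level, before winlogbeat decodes anything.
winlogbeat.event_logs:
  - name: Microsoft-Windows-PowerShell/Operational
    # event_id and level are turned into the XPath query passed to Windows,
    # so events that do not match are never read by winlogbeat.
    # 4103 = module logging, 4104 = script block logging.
    event_id: 4103, 4104
    level: warning, error, critical
    processors:
      # The module's normalization script still runs, but only on the events
      # that survived the query filter above.
      - script:
          lang: javascript
          id: powershell-operational
          file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      # drop_event is evaluated per event AFTER it has been read and decoded.
      # It reduces what is shipped, not the cost of reading the channel.
      # The field and value below are a constructed placeholder condition.
      - drop_event:
          when.equals.winlog.event_data.ScriptBlockText: "prompt"
```

When tuning, prefer pushing as much as possible into `event_id`, `level`, and `provider` (all query-level filters) and reserve processors such as `drop_event` for conditions the Windows query language cannot express; the script processor's own `when` clause is also a post-read check and does not avoid the decode cost.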